You're aware you can add whatever you want into DNS, it doesn't have to mean anything that computers understand right? you /could/ make your A records the intro to Star Wars- but nobody will be able to use your site.
TXT is a much better option imho, or.. y'know, not doing this.
TXT isn't an option because the records themselves are unsorted. Use the above command without the pipe to sort looks weird, but not as weird as TXT would.
I really don't think you need to use NAPTR here. Using TXT works just fine, if you do a sort, if you prepend line numbers to the records. Alas, you still have to do a sort. It would be wonderful if there was a hack that involved not using the sort. Here's one I just added: dig txt art.ten7.com |sort
A lot of VoIP deployments simply ignore the whole DNS side of things, or at best use an A record. Especially in wholesale, it's IP only (using domains breaks some things), and authentication is based on IP, too. (Source IP on a UDP packet - very secure.)
Regular expressions in DNS records? That sounds like it would be an easy possibility of exponential resource consumption: http://en.wikipedia.org/wiki/ReDoS
After a quick Google, it turns out some versions of ISC BIND were vulnerable to this... but I'm almost willing to bet a lot of other software that handles NAPTR could be as well.
What happens if someone chops up binary data such as a copyright movie file BASE64 encoded into DNS text records? Does all the DNS operators with that in the cache become illegal file sharers then?
Loot at entry 9, they use a similar hack to distribute the DeCSS (DVD DRM decryption program) source code through DNS.
> Mark Baker noticed that you could do the request to any nameserver. Which means for instance that the DeCSS source code is available from the DVDCCA's nameservers !
31 comments
[ 3.6 ms ] story [ 79.9 ms ] threadYou're aware you can add whatever you want into DNS, it doesn't have to mean anything that computers understand right? you /could/ make your A records the intro to Star Wars- but nobody will be able to use your site.
TXT is a much better option imho, or.. y'know, not doing this.
Using TXT for artwork also has the advantage that you don't risk an intermediate resolver re-ordering things.
Source: When this came up about a month ago: https://news.ycombinator.com/item?id=7185326
dig +short txt log.netkine.com | sed $'s/\" \"/\\\n/g'
A lot of VoIP deployments simply ignore the whole DNS side of things, or at best use an A record. Especially in wholesale, it's IP only (using domains breaks some things), and authentication is based on IP, too. (Source IP on a UDP packet - very secure.)
thus DNS amplification is impossible because spoofing the TCP source would fail a handshake.
and in case you want to learn about NAPTR: http://www.ietf.org/rfc/rfc2915.txt
After a quick Google, it turns out some versions of ISC BIND were vulnerable to this... but I'm almost willing to bet a lot of other software that handles NAPTR could be as well.
[1]: https://code.google.com/p/re2/
great work though
Loot at entry 9, they use a similar hack to distribute the DeCSS (DVD DRM decryption program) source code through DNS.
> Mark Baker noticed that you could do the request to any nameserver. Which means for instance that the DeCSS source code is available from the DVDCCA's nameservers !